[sudo-users] Disabling "sudo su" but allow everything else?

Patrick Spinler spinler.patrick at mayo.edu
Mon Aug 2 16:33:48 EDT 2010

On 08/02/2010 02:14 PM, Paul Cantle wrote:
> Hi All,
> I'd also look to disable /bin/vi (without the /etc/sudoers flag by adding it to the RESTRICTED alias) as users will be able to shell out of vi by default and get a root shell anyway (which will kind of make !SHELLS irrelevant).

Be careful, this way madness lies.

Remember there's many programs that can spawn a shell, Some pages such 
as less for instance.  Certain editors (vi and emacs) and mail handlers. 
  The list goes on and on.

You'll either find yourself missing stuff, or rapidly back yourself into 
a corner.

Worse, even if you catch all the system installed exceptions, *nothing* 
prevents a user from doing:

   cp /bin/sh_of_choice  /some/writeable/directory/whee_i_have_privs
   sudo /some/writeable/directory/whee_i_have_privs

A much better approach is to deny everything by default, and selectively 
grant the few privs the user really needs.  For instance, here's a setup 
I might do on redhat for an apache server:

@group_to_priv		ALL=(root)	/sbin/service httpd *
@group_to_priv		ALL=(root)	sudoedit /etc/http.d/*.conf
@group_to_priv		ALL=(root)	/sbin/su - apache

-- Pat

More information about the sudo-users mailing list